Cybercrime Solution Has Bugs


WASHINGTON – U.S. and European police agencies will receive new powers to investigate and prosecute computer crimes, according to a preliminary draft of a treaty being circulated among over 40 nations.

The Council of Europe's 65KB proposal is designed to aid police in investigations of online miscreants in cases where attacks or intrusions cross national borders.

But the details of the "Draft Convention on Cybercrime" worry U.S. civil libertarians. They warn that the plan would violate longstanding privacy rights and grant the government far too much power.

The proposal, which is expected to be finalized by December 2000 and appears to be the first computer crime treaty, would:

Make it a crime to create, download, or post on a website any computer program that is "designed or adapted" primarily to gain access to a computer system without permission. Also banned is software designed to interfere with the "functioning of a computer system" by deleting or altering data.

Allow authorities to order someone to reveal his or her passphrase for an encryption key. According to a recent survey, only Singapore and Malaysia have enacted such a requirement into law, and experts say that in the United States it could run afoul of constitutional protections against self-incrimination.

Internationalize a U.S. law that makes it a crime to possess even digital images that "appear" to represent children's genitals or children engaged in sexual conduct. Linking to such a site also would be a crime.

Require websites and Internet providers to collect information about their users, a rule that would potentially limit anonymous remailers.

U.S. law enforcement officials helped to write the document, which was released for public comment last Thursday, and the Justice Department is expected to urge the Senate to approve it next year. Other non-European countries actively involved in negotiations include Canada, Japan, and South Africa.

During recent testimony before Congress, Attorney General Janet Reno warned of international computer crime, a claim that gained more credibility last month with the arrest of alleged denial-of-service culprit Mafiaboy in Canada.

"The damage that can be done by somebody sitting halfway around the world is immense. We have got to be able to trace them, and we have made real progress with our discussions with our colleagues in the G-8 and in the Council of Europe," Reno told a Senate appropriations subcommittee in February, the week after the denial-of-service attacks took place.

"Some countries have weak laws, or no laws, against computer crimes, creating a major obstacle to solving and to prosecuting computer crimes. I am quite concerned that one or more nations will become 'safe havens' for cyber-criminals," Reno said.

Civil libertarians say the Justice Department will try to pressure the Senate to approve the treaty even if it violates Americans' privacy rights.

"The Council of Europe in this case has just been taken over by the U.S. Justice Department and is only considering law enforcement demands," says Dave Banisar, co-author of The Electronic Privacy Papers. "They're using one more international organization to launder U.S. policy."

Banisar says Article 6 of the measure, titled "Illegal Devices," could ban commonplace network security tools like crack and nmap, which is included with Linux as a standard utility. "Companies would be able to criminalize people who reveal security holes about their products," Banisar said.

"It will interfere with the ability of hackers – using that term in a favorable light – to test their own security and the security of others," Steinhardt said.

Solveig Singleton, director of information studies at the libertarian Cato Institute, says it's likely – although because of the vague language not certain – that anonymous remailers will be imperiled.

The draft document says countries must pass laws to "ensure the expeditious preservation of that traffic data, regardless whether one or more service providers were involved in the transmission of that communication." A service provider is defined as any entity that sends or receives electronic communications.

Representing the U.S. in the drafting process is the Justice Department's Computer Crime and Intellectual Property section, which chairs the G-8 subgroup on high-tech crime and also is involved with a cybercrime project at the Organization of American States. In December 1997 Reno convened the first meeting on computer crime of the G-8 nations.

A recent White House working group, which includes representatives from the Justice Department, FBI, and Secret Service, has called for restrictions on anonymity online, saying it can provide criminals with an impenetrable shield. So has a report from a committee of the European Parliament.

Other portions of the treaty include fairly detailed descriptions of extradition procedures and requirements for countries to establish around-the-clock computer-crime centers that police groups in other countries may contact for immediate help.

The Council of Europe is not affiliated with the European Union, and includes over 40 member nations, including Russia, which joined in 1996.

After the Council of Europe's expert group finalizes the proposed treaty, the full committee of ministers must adopt the text. Then it will be sent to countries for their signatures. Comments can be sent to daj@coe.int.